This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

Cloud - Top 5 Risks with PAAS


According to Wikipedia, Platform as a Service (PaaS) is the delivery of a computing platform and solution stack as a service. It facilitates deployment of applications without the cost and complexity of buying and managing the underlying hardware and software layers, providing all of the facilities required to support the complete life cycle of building and delivering web applications and services entirely from the Internet, with no software downloads or installation for developers, IT managers or end users. PaaS offerings include workflow facilities for application design, development, testing, deployment and hosting, as well as application services such as team collaboration, web service integration and marshalling, database integration, security, scalability, storage, persistence, state management, application versioning, application instrumentation and developer community facilitation. These services are provisioned as an integrated solution over the web.

The top 5 security concerns are:

1: Business Continuity Planning and Disaster Recovery with the PaaS vendor. Example: the Windows Azure platform, Microsoft's cloud computing platform, suffered an outage one weekend in March 2009. Had your enterprise been using the service, how would the outage have affected the organization's ability to conduct business? On the other hand, it would have been Microsoft's responsibility to fix it, not your IT team's (but be careful: your executive team may not see the distinction).

2: Lack of a Secure Software Development Process at the PaaS vendor. One thing a PaaS offering provides is the SDLC tooling itself. The Secure SDLC (SSDLC) is still new and not widely used, and the lack of an SSDLC at the vendor could mean insecure code in the platform your applications depend on.

3: Vendor Lock-In. Platform as a Service (PaaS) vendors tend to dictate the database, storage and application framework used, so what about legacy applications that do not fit the vendor's stack? Enterprises will still require the skills and infrastructure to run them.

4: Lack of adequate provisions in the SLA. The Cloud Computing Bill of Rights provides a useful checklist of protections against which to benchmark a supplier's offering. The upcoming National Institute of Standards and Technology (NIST) Cloud Computing Security publication will do a lot to standardize federally compliant cloud infrastructures and should be followed.

5: How to meet compliance demands and control risks when working with a PaaS vendor.